Merge pull request #522 from cbosdo/proxy-selinux-config

Relabel proxy configuration files on SELinux
uyuni-project · Jan 20, 2025 · 3450465 · 3450465
2 parents 58ef87c + 030d27f
commit 3450465
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 4 deletions.
diff --git a/mgrpxy/shared/podman/podman.go b/mgrpxy/shared/podman/podman.go
@@ -68,6 +68,11 @@ func GenerateSystemdService(
 	}
 
 	// Httpd
+	volumeOptions := ""
+	if podman.IsSELinuxEnabled() {
+		volumeOptions = ",z"
+	}
+
 	{
 		dataHttpd := templates.HttpdTemplateData{
 			Volumes:       shared_utils.ProxyHttpdVolumes,
@@ -80,8 +85,8 @@ func GenerateSystemdService(
 				return err
 			}
 			additionHttpdTuningSettings = fmt.Sprintf(
-				`Environment=HTTPD_EXTRA_CONF=-v%s:/etc/apache2/conf.d/apache_tuning.conf:ro`,
-				absPath,
+				`Environment=HTTPD_EXTRA_CONF=-v%s:/etc/apache2/conf.d/apache_tuning.conf:ro%s`,
+				absPath, volumeOptions,
 			)
 		}
 		if err := generateSystemdFile(dataHttpd, "httpd", httpdImage, additionHttpdTuningSettings); err != nil {
@@ -110,8 +115,8 @@ func GenerateSystemdService(
 				return err
 			}
 			additionSquidTuningSettings = fmt.Sprintf(
-				`Environment=SQUID_EXTRA_CONF=-v%s:/etc/squid/conf.d/squid_tuning.conf:ro`,
-				absPath,
+				`Environment=SQUID_EXTRA_CONF=-v%s:/etc/squid/conf.d/squid_tuning.conf:ro%s`,
+				absPath, volumeOptions,
 			)
 		}
 		if err := generateSystemdFile(dataSquid, "squid", squidImage, additionSquidTuningSettings); err != nil {

diff --git a/shared/podman/selinux.go b/shared/podman/selinux.go
@@ -0,0 +1,14 @@
+// SPDX-FileCopyrightText: 2024 SUSE LLC
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package podman
+
+import "github.com/rs/zerolog"
+
+// IsSELinuxEnabled reports whether SELinux is enabled or not.
+// It relies on selinuxenabled tool.
+func IsSELinuxEnabled() bool {
+	_, err := runCmdOutput(zerolog.DebugLevel, "selinuxenabled")
+	return err == nil
+}
diff --git a/shared/podman/selinux_test.go b/shared/podman/selinux_test.go
@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2024 SUSE LLC
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package podman
+
+import (
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/uyuni-project/uyuni-tools/shared/testutils"
+)
+
+func TestIsSELinuxEnabled(t *testing.T) {
+	type testType struct {
+		err      error
+		expected bool
+	}
+
+	cases := []testType{
+		{nil, true},
+		{errors.New("no such program selinuxenabled"), false},
+	}
+
+	for i, testCase := range cases {
+		runCmdOutput = func(_ zerolog.Level, _ string, _ ...string) ([]byte, error) {
+			return []byte(""), testCase.err
+		}
+		caseString := fmt.Sprintf("case %d: ", i)
+		testutils.AssertEquals(t, caseString+"unexpected return value", testCase.expected, IsSELinuxEnabled())
+	}
+}
diff --git a/uyuni-tools.changes.cbosdo.proxy-selinux-config b/uyuni-tools.changes.cbosdo.proxy-selinux-config
@@ -0,0 +1 @@
+- Relabel proxy config files on SELinux (bsc#1235658)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Relabel proxy config files on SELinux (bsc#1235658)